On July 14, 2016, the U.S. Court of Appeals for the Second Circuit ruled that federal warrants under the Stored Communications Act (“SCA”) cannot be used to access customer data that is stored overseas. Microsoft Corp. v. United States, No. 14-2985 (2d Cir. July 14, 2016). It overturned the Federal District Court for the Southern District of New York’s July 2014 decision, and declined to apply the 30-year-old SCA to United States-based service providers that store data on servers located outside the United States. While this decision is viewed as a victory for privacy advocates and businesses that offer cloud computing services around the world, it is also another example of the ongoing battle about the scope of authority that the U.S. Department of Justice (“DOJ”) has to compel technology companies to assist in gathering customer data for investigations.
The case arose in 2013 when a federal judge in New York issued a warrant under the SCA in connection with a drug trafficking probe. The warrant sought to obtain customer data that was housed on Microsoft Corp.’s data servers located in Dublin, Ireland. The Government argued that because Microsoft is based in the United States, it has authority to force the company to produce the sought information, no matter where it is stored. Microsoft said it could not be compelled to comply with a U.S. warrant for information stored abroad.
Key Aspects from the Second Circuit Ruling
The Second Circuit’s analysis focused on the government’s authority to issue a warrant under the SCA, enacted in 1986 to extend privacy protections to electronic records and “protect user privacy in the context of new technology that required a user’s interaction with a service provider.” Microsoft Corp., slip op. at 6. The Second Circuit pointed out a number of key distinctions in ultimately ruling against the DOJ.
- Extraterritoriality: The Second Circuit dismissed the notion that the SCA contemplates extraterritorial application. “Neither explicitly nor implicitly does the statute envision the application of its warrant provisions overseas.” Id. While the record was silent as to the citizenship of the customer whose data was sought, there was no dispute that the data was located in Ireland. The Court said that the fact that the data itself would be viewed in the U.S. was an argument of no consequence.
- Protectable Privacy Interest: The Government cited a number of cases where banks were required to disclose information contained in records overseas. However, the Court noted that “bank depositors have no protectable privacy interests in a bank’s records regarding their accounts.” Id. at 32. The Court drew a clear distinction and found a privacy interest in the electronic communications. The SCA “protects the privacy interests of users in many aspects of their stored communications from intrusion by unauthorized third parties.” Id. at 35. The users “hold a privacy interest in their stored electronic communications.” Id.
- Mutual Legal Assistance Treaties (“MLATs”): MLATs create obligations under international law for governments to assist one another in criminal investigations and prosecutions, and can be used to obtain evidence from another country. Currently, the United States has MLATs in place with every country in the European Union, including Ireland, providing a procedure to obtain the data. The Court rejected the Government’s argument that the SCA warrant should have been enforced in light of the cumbersome process that MLATs impose.
What Does the Decision Mean?
Many view this decision as another setback for the DOJ’s efforts to force companies to comply with orders to turn over customer data. The focus on the different standards applied based on the type of data sought also highlights the myriad of laws with which businesses must comply when storing customer data. Not only do many privacy laws and standards vary by state and by country, but also by industry. An understanding of the different rules, and the industries affected, are especially important for third party vendors that contract to store data.
If the decision stands, it will likely influence a company’s decision about where to store customer data. However, given the somewhat outdated application of the SCA, and the recent victories for technology companies, Congress may soon update the SCA, mandate some sort of data localization requirement, or perhaps issue an entirely new framework for compelling production of customer data stored overseas. The response of the Government to the Second Circuit’s decision may be a signal as to the direction of the next phase of the debate.